Safari, other mobile browsers affected by address bar spoofing flaws

Security researcher Rafay Baloch has discovered address bar spoofing vulnerabilities in several mobile browsers, which could allow attackers to trick users into sharing sensitive information through legitimate-looking phishing sites.

address bar spoofing mobile

“With ever growing sophistication of spear phishing attacks, exploitation of browser-based vulnerabilities such as address bar spoofing may exacerbate the success of spear phishing attacks and hence prove to be very lethal,” he noted.

“First and foremost, it is easy to persuade the victim into stealing credentials or distributing malware when the address bar points to a trusted website and giving no indicators forgery, secondly since the vulnerability exploits a specific feature in a browser, it can evade several anti-phishing schemes and solutions.”

The address bar spoofing vulnerabilities and affected mobile browsers

Unlike desktop browsers, mobile browsers are not great at showing security indicators that might point to a site’s malicious nature. In fact, pretty much the only consistent indicator is the address bar (i.e. a suspicious-looking URL in it).

So if the attacker is able to spoof the URL and show the one the user expects – for example, apple.com for a phishing site that impersonates Apple – chances are good the user will enter their login credentials into it. The vulnerabilities discovered by Baloch permit exactly that, and affect the:

  • UC Browser, Opera Mini, Yandex Browser and RITS Browser for Android
  • Opera Touch, Bolt Browser and Safari for iOS

“Exploitation all comes down to ‘Javascript shenanigans’,” noted Rapid7’s Tod Beardsley, who helped Baloch disclose the flaws to the developers of the affected browsers.

“By messing with the timing between page loads and when the browser gets a chance to refresh the address bar, an attacker can cause either a pop-up to appear to come from an arbitrary website or can render content in the browser window that falsely appears to come from an arbitrary website.”

Fixes for some, not for others

As 60+ days have passed since the vendors were appraised of the existence of the flaws, Baloch released some details and several PoC exploits.

In the meantime:

  • Apple and Yandex pushed out fixes
  • Opera released security updates for Opera Touch and is expected to do the same for Opera Mini in early November
  • Raise IT Solutions planned to release a fix for the RITS Browser this week, but hasn’t yet
  • UCWeb (the creators of the UC Browser) haven’t responded to the report, and it’s doubtful whether the creator of the Bolt Browser knowns about the vulnerabilities, as they haven’t been able to contact him (disclosure notification bounced when sent to the support email listed)

Users should implement the offered updates (if they don’t have the “auto-update” option switched on). Those who use browsers that still don’t have fixes available might want to consider switching to a browser that’s more actively developed/patched.

But all should be extra careful when thinking about clicking on links received via text or email from unknown sources. These flaws have been remediated, but other similar ones will surely be discovered in the future – let’s just hope it’s by researchers, and not attackers.

How secure is your web browser?

NSS Labs released the results of its web browser security test after testing Google Chrome, Microsoft Edge, Mozilla Firefox, and Opera, for phishing protection and malware protection.

web browser security

Key takeaways

  • Phishing protection rates ranged from 79.2% to 95.5%
  • For malware, the highest block rate was 98.5% and the lowest block rate was 5.6%
  • Protection improved over time; the most consistent products provided the best protection against phishing and malware.

Email, instant messages, SMS messages and links on social networking sites are used by criminals to lure victims to download and install malware disguised as legitimate software (a.k.a. socially engineered malware). Once the malware is installed, victims are subjected to identity theft, bank account compromise, and other devastating consequences.

Those same techniques are also used for phishing attacks, where victims are lured to websites impersonating banking, social media, charity, payroll, and other legitimate websites; victims are then tricked into providing passwords, credit card and bank account numbers, and other private information.

In addition, landing pages (URLs) from phishing websites are another way attackers exploit victim’s computers and silently install malicious software.

Protecting against malware and phishing

The ability to warn potential victims that they are about to stray onto a malicious website puts web browsers in a unique position to combat phishing, malware, and other criminal attacks.

To protect against malware and phishing attacks, browsers use cloud-based reputation systems that scour the internet for malicious websites and then categorize content accordingly, either by adding it to blocklists or whitelists, or by assigning it a score.

“As a result of the COVID-19 pandemic, employees have been forced to work from home and now have unprecedented remote access to corporate resources. Threat actors are shifting tactics to target these remote employees who may not benefit from corporate protection. This makes the protection offered by web browsers more important than ever,” said Vikram Phatak, founder of NSS Labs.

Tested browsers

  • Google Chrome – version 81.0.4044.113 – 81.0.4044.138
  • Microsoft Edge – version 83.0.478.10 – 84.0.516.1
  • Mozilla Firefox – version 75.0 – 76.0.1
  • Opera – version 67.0.3575.137 – 68.0.3618.125